
Don’t Trust That Passcode

Ryan Naraine reported over at ZDNet Zero Day on a new iPhone vulnerability which lets anyone have full access to the majority of iPhone functionality despite your clever 4-digit passcode lock.

As mentioned by “greenmymac” and covered by The Register, full access to contacts (and, hence, browser, e-mail, SMS…) is as simple as a press of the “Emergency Call” key from the passcode entry screen, followed by a double-tap on the home button, which – as The Register puts it – “takes the miscreant into favourites…” (why we in the States leave out the “u” is a sad mystery).

As Alex Hutton points out, you can mitigate the threat by disabling the “home button double-tap” feature of your device.

Ryan gave the CVE database a scan and noticed that this is not Apple’s first encounter with this error. CVE-2008-0034, which was identified back in January and fixed in the 1.x series firmware, noted this issue and is yet another sign of Apple’s lack of commitment to security on the iPhone (guess they should have fixed more than just bugs in 2.0.2).

It would be greatly appreciated if any readers in an enterprise configuration (i.e. with a stronger passcode and a centralized provisioning environment) would drop a note in the comments letting me (and other TAB readers) know if you are impacted by this vulnerability as well. All TAB readers are invited to post their thoughts in the comments on Apple’s latest security faux pas.

10 Responses to “Don’t Trust That Passcode”

  1. @Mick: We deleted comments for flaming/trolling. We don’t delete comments because they disagree with the author. If people come here and flame others and do childish things like call people names, they get deleted…no questions asked.

  2. Alan Olsen

    I may misunderstand what you're trying to say, but let me follow up with what I have done since I made my last post. I followed the work flow of selecting emergency call and dbl. tapping the home key. I did this with all three home button choices: Home, Favorites, and iPod.
    My Results:
    Home-> brought me back to the pass code entry

    Favorites-> brought me to just that where I could call, text, or and a favorite number from someone who already was listed in my favorites. They also had to have more than one number in my address book, i.e. cell, work, or home.

    iPod-> Would only allow me to play my music.

    Now I may have missed a step or maybe version has something to do with it, I am at 2.02. All I can say is what I found.

    As for the attack on TAB about deleting posts, unless there were people between you and me I did not see anyone get deleted.

    One thing you need to remember: this is a blog, a helpful blog, but remember a blog is based on opinion and the best possible facts at the time. That's the blogger's job, report opinion based on the facts that they have access to. Our job as readers is to take that information along with our own knowledge and create our own opinion, which we can post. I believe to attack a forum such as this is counterproductive.

    Also I did not mean to actually turn off the home button, just the function of accessing favorites. Now why I believe it is a function not a flaw, my question would be is intent, was it Apple's intent for the phone to function this way? I happen to work for a security specialist who will in fact argue my point and he will most likely prove me wrong, but until then, I do not believe there to be a true risk. However steps could have been omitted as to not give a person the ability to hack into phones, imagine the possible lawsuits!

  3. I haven't locked a cell phone in 10 years, though I would consider it if I had all my info on my iPhone like my work laptop. I have had many cell phones lost and stolen and always wondered what the new user would do with them.
    I have had the same number since 1995 and never had anyone try anything funny, but this is a new day and age.

  4. Alan said: “If you're able to disable this by turning the home button off then it seems more like a function and since you can go no deeper into the phone then there is really no risk…”

    This kind of comment shows exactly why it is so important that blogs report this right. I notice that since I last viewed this thread a number of comments have been deleted, but no one has taken the trouble to correct the incorrect info that’s in the post itself.

    Namely: you _cannot_ turn the home button off, or disable it. You can change the function, but if you do not you do not allow the ICE example given. If you leave it, you can of course go as deep into the phone as you like.

    EDITORS: Why not correct the post instead of just deleting comments? Plus the key link in the post (from “points out”) is now leading to a Not Found page, which isn’t exactly helping to clarify what you were trying to say.

  5. Alan Olsen

    Is this a flaw or is it a function, possibly a life saving function? If the world is switching to the iPhone, which it seems, by the amount I saw at lunch today. Out of 27 people in the room 19 had iPhones and it seemed like they were all sharing information about the phone and what they can do. Anyways, if more and more people know about this flaw, which I am not sure that it is, would it not be able to be used in an emergency?

    You're in an accident and cannot speak for yourself, but the EMTs or ER team have your phone and they know by selecting emergency call and dbl. tapping the home button they can get to your favorites. Now my wife is in there with I.C.E. (in case of emergency) next to her name. Now they can contact her quickly and find out if I have any medical conditions that would affect the way they treat me. The very least they have notified someone to what has happened.

    So flaw or function? If you're able to disable this by turning the home button off then it seems more like a function and since you can go no deeper into the phone then there is really no risk to anyone except the person who ends up calling my mother, now I would feel for them!

  6. @Ed: I think some of us readers, including Ticalian, were a little surprised by the tone of your first comment. The writer of the post simply misspoke when using the word “disabling”, which was an innocent mistake. In comment #4, TC explains how to change the setting, and actually uses the words “kind of disabling”, which really should have been enough clarification for anyone who was confused by the writer’s original diction.

  7. @Ed, it's in Settings/General/Home. I set mine to go to iPod when double tapping the home key, or you could double tap and it would go to home, so that's kind of disabling the double tap.

  8. Hey, I’d love to know exactly how you “disable the ‘home button double-tap’ feature” of your device. Care to share? Or perhaps do a little basic research before regurgitating what someone says on Twitter.

  9. Ticalian

    I understand that there’s a way to prevent this from happening from now. If you go into settings then general, there’s an option to set the home button to take you to “ipod”. This will keep our contacts etc. safe and only allow a malicious user access to your music.